If this is your first visit, be sure to
check out the Forum Rules by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

UDP flood attack - backtracking possible?

Hi all,

My question is quite simple really, is it possible to backtrace a UDP flood attack to its original destination?
I know that the attacker can spoof its IP address, but is it possible to get around "the spoof" and find out the real IP?
If possible, what tools would be able to do this?
Thanks!

Re: UDP flood attack - backtracking possible?

That depends on a variety of factors. If it was a direct attack on a system, the attacker might have simply put a laptop on the network and spoofed their IP and/or MAC address. BUT if you have reason to believe that it was done by a computer that is "permanently" on the network (like a library or staff system) and sent their attack via a route (through switches and routers) then there are multiple possible methods. First I would recommend using your favorite packet capture tool to find out what devices routed the packet and trace it back that way. While this will not give you an exact location in the long run it will allow you to pinpoint the network segment that attack was launched from. Then you could wait and see if the attacker attempts to launch another attack. But if you didn't have a capture setup during the attack you may not be able to do this(unless you are able to access the switches or routers manually, then you can look in the logs) .

I would say answer these questions and the Backtrack community might be able to help you more:

1) How do you know it was a UDP flood attack? Did you have a packet capture setup?
2) where do you suspect this attack came from? Outside the network (i.e. the internet) or inside the network?
3) Who has access to the network and what NAC (network access control) methods are setup to prevent random folks from hopping on?
4) even if it is a spoofed IP and MAC that attacker might have been dumb enough to access something that could give them away, like social media or an email account. Can you find any packets to this effect?
5) do you have full access to your networks routers and switches? Is it a business network or a home network? Are you able to access the logs from these switches/routers if it is a business network?
6) did you attempt to trace the IP and MAC address (or even the host name)? If it is a business network you can access the DHCP logs to see who requested the IP address, sometimes attackers are too lazy to spoof MAC addresses, or they keep their computer name the same (i.e. kyle's-PC).